What's new
The following sections describe new features, enhancements, and changes in FortiProxy 7.2.8:
Configure a schedule for a shaping policy
FortiProxy 7.2.8 adds support for scheduling a shaping policy, which allows different traffic shaping for different days or different hours of the day without administrative intervention.
To add a schedule for a shaping policy in the GUI, use the Schedule option in the Create/Edit Shaping Policy window under Policy & Objects > Traffic Shaping > Traffic Shaping Policies > Create New/Edit. The default is always, which means the shaping policy is always applied. For more information, see Schedules.
Alternatively, use the set schedule option in the config firewall shaping-policy command in the CLI:
config firewall shaping-policy
    edit 1
        set status enable
        set ip-version 4
        set service-type service
        set service "ALL"
        set schedule "always"
        set dstintf "any"
    next
end
SOCKS proxy enhancements
FortiProxy 7.2.8 adds the following enhancements to SOCKS proxy:
- UTM scan for HTTP/HTTPS over SOCKS—FortiProxy 7.2.8 redirects HTTP/HTTPS traffic tunneled over a SOCKS server to the HTTP engine as HTTP/HTTPS traffic if the destination port is 80/443, respectively.
- SOCKS L7 policy matching with webfilter rating—FortiProxy 7.2.8 supports webfilter and L7 policy matching, such as URL rating and category matching for policy and SSL exempt, at the SOCKS level, including HTTP/HTTPS over SOCKS. When an authentication rule exists, SOCKS4 connections are banned because SOCKS4 does not support authentication.
- Isolating traffic from SOCKS proxy requests—FortiProxy 7.2.8 can now isolate traffic from SOCKS proxy requests when the isolator is a SOCKS forward server.
New option for enabling HTTP/HTTPS proxy
FortiProxy 7.2.8 adds the Enable HTTP/HTTPS proxy option when you create or edit an explicit proxy. The default is enabled. Alternatively, use the set http [enable|disable] option in the config web-proxy explicit-proxy command.
In FortiProxy 7.2.7 and earlier, HTTP/HTTPS proxy is always enabled when explicit proxy is enabled. When you enable SOCKS proxy, HTTP/HTTPS proxy is also enabled as long as the explicit proxy is enabled. There is no way to enable SOCKS proxy without enabling HTTP/HTTPS proxy. The new option provides the flexibility to enable HTTP/HTTPS proxy independently so that you can enable SOCKS proxy without enabling HTTP/HTTPS proxy.
To ensure backward compatibility, if no port is configured for a specific protocol, FortiProxy uses http-incoming-port as the default port for the protocol, regardless of whether HTTP/HTTPS proxy is enabled, as long as explicit proxy is enabled.
DNS lookup support
FortiProxy 7.2.8 adds support for arbitrary DNS lookup, which is available in the new Policy & Objects > DNS Lookup tab in the GUI. FortiProxy returns an array of associated IPs (20 entries maximum) for the specified domain (FQDN) on the specified DNS server.
Alternatively, use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command:
diag firewall nslookup http://www.example.com 8.8.8.8
GUI support for isolator settings
FortiProxy 7.2.8 adds the Security Profiles > Isolator Setting page for configuring the default isolator profile and/or configuring the action to perform on isolator sessions that do not match any existing policy (unmatched-session) or have missing information (defective-session).
Configure case-sensitivity for user accounts
In FortiProxy 7.2.8, you can configure whether to check case when performing username matching for local and remote user accounts using the new set username-case-sensitivity option under config system global:
config system global
    set username-case-sensitivity [enable|disable]
end
More details for diagnosing ICAP servers
FortiProxy 7.2.8 adds ICAP server status and IP (if capable) information in ICAP HTTP error messages to aid troubleshooting. You can also view detailed status information for each ICAP server using the new diagnose wad icap list command. Example output:
    icap-server-name: server1 status: online
    VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
    conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
    monitor: succ=0 fail=0
    error: stats.no_report_err=0
    num_worker_load=1
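As an added example that is not part of the FortiProxy documentation, the following Python script parses the diagnose wad icap list output format shown above and flags servers that are offline or that report connection, monitor, or report errors; the sample text is constructed here to match that format and is not real device output.

```python
import re

# Constructed sample modelled on the 'diagnose wad icap list' format above (not real device output).
SAMPLE_OUTPUT = """\
icap-server-name: server1 status: online
VDOM=root addr=ip/0.0.0.0:1344 health_check=disable
conns: succ=0 fail=0 ongoing=0 hits=0 blocked=0
monitor: succ=0 fail=0
error: stats.no_report_err=0
num_worker_load=1
icap-server-name: server2 status: offline
VDOM=root addr=ip/192.0.2.10:1344 health_check=enable
conns: succ=12 fail=3 ongoing=1 hits=9 blocked=0
monitor: succ=4 fail=2
error: stats.no_report_err=1
num_worker_load=2
"""

HEADER_RE = re.compile(r"^icap-server-name:\s*(\S+)\s+status:\s*(\S+)")
KV_RE = re.compile(r"([\w.]+)=(\S+)")


def parse_icap_list(text):
    """Parse 'diagnose wad icap list' output into one dict per ICAP server."""
    servers = []
    current = None
    for line in text.splitlines():
        body = line.strip()
        m = HEADER_RE.match(body)
        if m:
            current = {"name": m.group(1), "status": m.group(2)}
            servers.append(current)
            continue
        if current is None or not body:
            continue
        # 'conns: succ=0 fail=0' -> keys 'conns.succ', 'conns.fail';
        # a bare 'num_worker_load=1' keeps its key unchanged.
        prefix = ""
        if ":" in body.split(" ", 1)[0]:
            prefix, body = body.split(":", 1)
            prefix = prefix.strip() + "."
        for key, value in KV_RE.findall(body):
            current[prefix + key] = int(value) if value.isdigit() else value
    return servers


def unhealthy_servers(servers):
    """Names of servers that are offline or show connection/monitor/report failures."""
    return [s["name"] for s in servers
            if s["status"] != "online"
            or s.get("conns.fail", 0) > 0
            or s.get("monitor.fail", 0) > 0
            or s.get("error.stats.no_report_err", 0) > 0]
```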
Increase threat feed size limit
FortiProxy 7.2.8 increases the threat feed file size limit and line limit as follows:
| | 7.2.7 and earlier | 7.2.8 |
|---|---|---|
| File size limit | 10 MB | 16 MB |
| Line limit | 128K | 200K |
CLI changes
FortiProxy 7.2.8 includes the following CLI changes:
- config firewall shaping-policy—Use the new set schedule option to configure a schedule for a shaping policy.
- Use the new diag firewall nslookup [FQDN] [DNS-server IP or FQDN] command to view a list of associated IPs (20 entries maximum) for a specific domain (FQDN) on a specific DNS server.
- Use the new diagnose wad icap list command to view detailed status information for each ICAP server.
- Use the new diag wad process [process_name] [index](-1 means all) [<cmd>] ...(up to 32 commands) command to send commands to workers in batches. For example, diag wad process worker 1 103 104 means sending commands 103 and 104 to worker 1.
- The new diag wad report <PROCESS name> <INDEX> command consolidates the following signal-based diagnose commands:
    - diag wad report session
    - diag wad report user
    - diag wad report policy
- The diag test app wad command adds support for setting a specific group of processes as the diagnosis process:
    - diag test app wad 2yxx means setting No. xx process of type y (0~9) as the diagnosis process.
    - diag test app wad 2yyxx means setting No. xx process of type yy (10~99) as the diagnosis process.
    - diag test app wad 2yyxxx means setting No. xxx process of type yy (0~9) as the diagnosis process.
- config web-proxy explicit-proxy—Use the new set http [enable|disable] option to enable/disable HTTP/HTTPS proxy.
- config system global—Use the new set username-case-sensitivity option to configure whether to check case when performing username matching for local and remote user accounts.
- FortiProxy 7.2.8 replaces the target process selection commands (such as diag test app) with diag wad process <PROCESS name> <INDEX>, for example, diag wad process manager test manager. For workers or processes with multiple instances, specify the instance index after the worker or process name, for example, diag wad process worker 0. If no index is specified while multiple instances exist, FortiProxy defaults to index 0. This command supports the following process types:
    - manager
    - dispatcher
    - worker
    - fast-match
    - informer
    - user-info
    - dev-vuln
    - cache-service-cs
    - cache-service-db
    - object-cache
    - byte-cache
    - cert-inspect
    - youtube-cache
    - user-info-history
    - debug
    - config
    - staled-worker
    - traffic
    - preload-daemon
    - TLS-fingerprint
    - image-analyzer
- config isolator profile—The set right-click and set copy-paste options are removed.